For folks who aren't aware or simply don't remember: back in the late 2000s and early 2010s, a lot of PC vendors started leveraging UEFI to add special features to their machines, particularly laptops. A lot of these "features" were hideous hackjobs that presented more of a security threat than a value-add. I'm certain there are all sorts of vendor-specific UEFI vulns to be discovered thanks to those machines.
HP, for example, had a standalone UEFI app that provided a simple interface into Outlook that only took a couple seconds to boot. They also had a program that embedded itself into their laptops' SMM that showed your Outlook calendar while Windows was booting.
> Article then proceeds to describe a toy GRUB wrapper bootkit that has nothing to do with UEFI firmware (other than running on UEFI systems like any other UEFI bootloader), does not persist in UEFI firmware whatsoever (it just is installed in the ESP partition on disk), and can be killed by not just a drive swap, but any OS reinstall, and even simply a GRUB update/reinstall.
> In fact, it has an obvious mistake, touched on by the original article: LD_PRELOAD is set to a string trailing with " /init", no doubt a copy+paste of the command line used to achieve the same execution during testing. ...
> Furthermore, this bootkit is incomplete, since it relies on chaining into components installed via another mechanism (e.g. /opt/injector.so in the initramfs). A true bootkit only relies on its own first stage to drop all subsequent stages. That's the whole point of setting up a boot chain compromise like this. Otherwise you can defeat it by removing any of the stages, even if the bootkit stage is intact. As it stands, this bootkit isn't really a bootkit, it's just a module signing side-step that allows a traditional rootkit to be loaded on a system with Secure Boot enabled (and, since the Secure Boot is still working as intended, that results in a prompt on the first reboot asking the user to install the "bootkit"'s certificate into the UEFI trusted certificate store, since it is obviously not trusted by default). So it can't even be installed without clear warning to the user that something is wrong.
> ... The original article clearly mentions how to kill this "unkillable" bootkit, which tells me you didn't even read the original article all the way.
For folks who aren't aware or simply don't remember: back in the late 2000s and early 2010s, a lot of PC vendors started leveraging UEFI to add special features to their machines, particularly laptops. A lot of these "features" were hideous hackjobs that presented more of a security threat than a value-add. I'm certain there are all sorts of vendor-specific UEFI vulns to be discovered thanks to those machines.
HP, for example, had a standalone UEFI app that provided a simple interface into Outlook that only took a couple seconds to boot. They also had a program that embedded itself into their laptops' SMM that showed your Outlook calendar while Windows was booting.
That's simultaneously really cool and horrifying.
Original article, with the technical analysis of the bootkit:
https://www.welivesecurity.com/en/eset-research/bootkitty-an...
From the article: "To date, ESET has found no evidence of actual infections in the wild." It was uploaded to some service though.
> Article then proceeds to describe a toy GRUB wrapper bootkit that has nothing to do with UEFI firmware (other than running on UEFI systems like any other UEFI bootloader), does not persist in UEFI firmware whatsoever (it just is installed in the ESP partition on disk), and can be killed by not just a drive swap, but any OS reinstall, and even simply a GRUB update/reinstall.
> In fact, it has an obvious mistake, touched on by the original article: LD_PRELOAD is set to a string trailing with " /init", no doubt a copy+paste of the command line used to achieve the same execution during testing. ...
> Furthermore, this bootkit is incomplete, since it relies on chaining into components installed via another mechanism (e.g. /opt/injector.so in the initramfs). A true bootkit only relies on its own first stage to drop all subsequent stages. That's the whole point of setting up a boot chain compromise like this. Otherwise you can defeat it by removing any of the stages, even if the bootkit stage is intact. As it stands, this bootkit isn't really a bootkit, it's just a module signing side-step that allows a traditional rootkit to be loaded on a system with Secure Boot enabled (and, since the Secure Boot is still working as intended, that results in a prompt on the first reboot asking the user to install the "bootkit"'s certificate into the UEFI trusted certificate store, since it is obviously not trusted by default). So it can't even be installed without clear warning to the user that something is wrong.
> ... The original article clearly mentions how to kill this "unkillable" bootkit, which tells me you didn't even read the original article all the way.
- Hector Martin, https://social.treehouse.systems/@marcan/113560945800582652
Dupe: https://news.ycombinator.com/item?id=42259775
I could swear i've seen EFI Bootkits for Linux a decade ago.
seems to be a dup
https://news.ycombinator.com/item?id=42262525